Slashdot Mirror
Making Sense of Mismatched Certificates?
Ropati writes "I bank with capitalone.com. Recently I went to log in to my credit card account, and my browser reported that the site certificate didn't match the web site I was on. [Expletive.] I'm wondering if I am getting a poisoned DNS URL. I have to log in and do my banking, so I accept the mismatched certificate. The banking site is complete, my transactions are listed but that doesn't mean there isn't a man in the middle attack here. I am still curious how much I have exposed my banking assets." Read on for more, and offer advice on how to interpret what sounds like a flaky response from the bank.
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is suppose to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported. I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
Ropati continues "On the Capital One login page, there is a Verisign link on the page to check that the website is suppose to match. So I click on the verification icon and I am rewarded with a link to Verisign. They report that this web site certificate is for onlinebanking.capitalone.com not the servicing.capitalone.com where I log in. Is this the mismatch my browser reported. I know nothing about certificates.
I call Capital One and ask them to fix the problem. If this was a browser issue on my part, then the Verisign link should match. The tech support supervisor, Joe — XRT413, said he couldn't do anything about it and he couldn't escalate the problem to someone who could.
So my questions are: Are the certificates a mismatch or is my browser bellyaching for nothing? Is the certificate mismatch a security hazard? If someone poisoned my local DNS routers would it be obvious in the URL? How would I prevent such a thing? If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?"
This is a misconfiguration on their end. EV certificates, the ones that turn your address bar green and coax turtles into doing happy dances, are really expensive. It's my guess that they've either reused a certificate on another system, or one of their developers made a mistake in how the site and server cluster is configured. It's certainly something to complain about.
If you're ever in doubt about the validity of the certificate or security of a transaction, however, DON'T DO IT!. This goes for standing at an ATM in a shady neighborhood or doing business online.
It's all a scam and we're all laughing at you. While spending your money. Thanks for the good times.
) Human Kind Vs Human Creation
) It'd be interesting to see how many humans would survive to serve us.
Hello, IT, have you tried turning it off and back on again?
Ah... another tech support call. Sure, what's the problem?
Are the certificates a mismatch or is my browser bellyaching for nothing?
Yes. And maybe yes too.
Is the certificate mismatch a security hazard?
Common sense would suggest it wouldn't be in a big popup dialog labeled "WARNING" if it wasn't.
If someone poisoned my local DNS routers would it be obvious in the URL?
No.
How would I prevent such a thing?
Stop clicking "Okay" or "Yes" to every security warning you don't understand.
If everything was working correctly, would the certificate alert me to DNS poisoning, or is this just cosmetic security?
If the certificate isn't properly signed, a warning like the one you were presented with should throw a dialog box in the web browser.
#fuckbeta #iamslashdot #dicemustdie
Seriously, there's a bank on every corner. Unless you have some compelling reason to stay with Capital One, open an account elsewhere. You don't even have to close your Capital One account -- save it as a backup.
That's what I did when Bank of Texas (aka Bank of Oklahoma) added so-called "security questions". The first time I failed at answering "What was your first pet's favorite food?" (or something similarly stupid), I changed my direct deposit to put $1 a paycheck there, and move the rest to an account at a financial institution with a better understanding of Internet security.
Speaking of financial institutions, why are you still banking at a for-profit (ha!) institution, anyway? I've got one credit union that doesn't charge an overlimit fee on my credit card, and another that's paying over 4% interest on my checking account. Why can they do that? Because they didn't take stupid risks 10 years ago. I should know -- they wouldn't give me a home loan. The bank that did was first in line for a taxpayer bailout.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
Seconded. The certificate is correct.
I don't know what that verisign link is all about but it is useless.
You certainly cannot trust information within a web page to verify the identity of the server.
Click on the the little 'lock' icon on the bottom right corner of your browser to inspect the certificate.
The first thing to note is that SSL covers the host-to-host connection and is ignorant of higher-level protocols. There are a couple of things which can cause SSL mismatches:
1) SSL cert is set up to one hostname that the machine services, but site is on another. The SSL negotiation happens prior to the host headers being processed. This could be solved by browser controls (i.e. do a rDNS lookup on the cert's host and make sure it matches the IP you are connecting to), but this ends up causing other, more serious issues, because different sites on the same server could be controlled by different parties. Hence if you have a shopping cart, I could re-use your cert on my shared site on the same box, spoof your page, and steel credit card numbers. So the browser behavior is correct.
2) The SSL cert could have been accidently re-used (unlikely).
My general rule is that if the hostname's TLD matches with the cert (capitalone.com), but the most host-specific portion does not (servicing vs online banking), this is reasonably (though not completely) safe to ignore. Revoked certs should ALWAYS be treated with suspicion because you don't know why it was revoked. Expired certs.... Well, it depends. There are other things that can cause certs to be improperly shown as expired so that demands more careful consideration.
LedgerSMB: Open source Accounting/ERP
Exactly. They were stupid. They gave a server an alias, and didn't realize that it will throw an error to the clients. It probably worked fine in their dev environment though, where they probably accepted the wrong cert and saved the exception because they got tired of clicking the link. :)
Being that he ignored the error, didn't view the cert to see what it was really assigned for (and continued on to give his login information), it proves that most users don't really care, and will provide their security credentials regardless if they've been warned that there is a problem or not. The cert could have been for bad_haxor_inc.ru, but since he didn't look, he doesn't know.
We have to assume that it's a mixup with the servicing.capitalone.com and onlinebanking.capitalone.com hosts, but we don't know.
Why didn't they just buy a wildcard cert? They're so much easier to work with. :)
Serious? Seriousness is well above my pay grade.
This reminds me of an story. A friend and I were moving a heavy couch and at an inopportune time he got flustered and said 'Hold on, we need to put this down and take a break'. We did, finished moving it later and that was that.
About 6 months later out of the blue he explained to me that he had to put the couch down because the apparently strained a bit too hard and pooped his pants.
I have no idea why he told me, much less told me 6 months later. He was kind of a weird guy.
The moral of this story is:
If you do something embarassing or stupid and privately get away with it, don't tell anyone.
What is "Cap It Alone"?
Doesn't sound like a website I'd entrust my financial information to...
An ID Thief opened a Capital One account in my name. They had my name, address, SSN, and DOB, but got my mother's maiden name wrong. Capital One approved the card anyway. Then, when the thief immediately changed the address (from mine to another address), before even activating the card, it didn't raise any red flags in their systems. Then, when the thief tried to get a $5,000 cash advance on the card (still not activated), it didn't raise any red flags in their systems (though they denied the advance). Then, when I called them, they refused to give me any information on the theory that I could "go and shoot the guy and they would be liable." Instead, I had to have a police officer call a special "cops number." The police officer called that number and got a recording which apparently no one ever returned phone calls from. At every step of the way, Capital One seemed to be going out of its way to protect itself *from* me and my ID Theft investigation instead of caring about the fact that it was an accessory to ID theft. Needless to say, I won't ever do business with Capital One again.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
You're end up in some call center and the agent will have no clue what you're talking about -- they will recommend clearing cookies, restarting the browser (and maybe switch to IE). The message will never get up the food chain. The only real way to get the message is to close your account and switch to a bank that takes sucurity seriously.
Web browsers should not allow access to sites with messed up security. If all browsers errored out, sites like this would be unusable and would get fixed. Putting up a warning that the user learns to ignore is just crying wolf. People learn to ignore such things - so why implement them at all?
I don't really understand why any individual with regular "banking" needs would use a bank today. Credit unions are non-profit, and generally, because of their structure, are run much better than banks are. My credit union has been impacted 0% by this banking mess stuff. I'm earning 4% on my PERSONAL CHECKING account, and not paying any fees. I also have all of my business accounts, and my mortgage with my local credit union.
Credit Unions: Like banks, but cheaper, non-profit, less corrupt, no over-paid executives, and not out to screw you over.
certificates should be purchasable for whole domains
They are. You don't have to buy a new cert for every subdomain. If you have a lot of subdomains to secure the best solution is to get a wildcard certificate.
DO NOT continue banking online, and call them to let them know of the problem. Continue banking over the phone or in person (I know..it's a pain in the ass compared to doing it online, but it's nothing compared to having to deal with identity theft).
OK, your bank screwed the pooch and you should complain - LOUDLY - until it's fixed. You should also look for a bank that understands basic internet/web concepts like "SSL cert's CN must match DNS hostname" -- I fear for the rest of their infrastructure.
That said, you were logging into your bank, which presumably holds a large percentage of your cash assets, you received a SSL error and you continued the transaction?
You deserve to have your account cleaned out for reckless disregard for the security of your financial information. Go to a brick-and-mortar bank, or call them on the telephone (*gasp*) if your banking is so urgent.
/~mikeg
Comment removed based on user account deletion
It also works for me. I bank with Capital One, and in fact the link in the summary is the exact link I have stored in my bookmarks. I have never had certificate trouble with that link. I'd watch that account closely if I were you, and perhaps change your passwords if you use the same password elsewhere.
Similar thing happens whenever I try to log into my virginmobile account. https://virginmobileusa.com/ has a certificate for www.virginmobileusa.com
Something strange is going on here. Capital One's main site returns a certificate for the correct domain, but the certificate is invalid. This isn't a wrong-domain issue; the cert is bad. CN="www.capitalone.com", the dates are valid, the issuer is Verisign, but it won't validate in Firefox. Our own system, SiteTruth, which uses OpenSSL, also indicates it's no good. But neither Firefox nor OpenSSL is producing a useful error message. It looks like this certificate is either corrupted or bogus.
The location ("L") in the cert is Glen Allen, VA. Capital One has a facility in Glen Allen, according to Google, and it looks like a huge warehouse. So that's probably their data center, at 4871 Cox Rd, Glen Allen, VA - (804) 270-4104.
A traceroute ends at "capitalone-gw.customer.alter.net", which doesn't mean much one way or the other.
Their stock has dropped from 55 to 12 since September 2008. If you have any money in there above the FDIC insurance limits, get it out now..
It looks to me as though IE 8 does just this. The matched part of the url is in a bolder face than the rest of the address. Cool!
Capital One IT staff: "Oh shit, we're on /."
2nd C1 IT staff: "Oh fuck. I'll bet it's the certificate."
*phone rings*
"Oh shit, it's the CTO's number."
CTO: "Why the fuck are we on slashdot's front page?"
And presto, Capital One's certificates have been fixed.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
What's "capping it", and why would I want to do it alone?
You can't get wildcard EV certs.
Xfce: Lighter than some, heavier than others. Just right.
Tell me now, why do we need to protect the counterparties in the derivatives contracts? Shouldn't they have been aware of the risk involved? Just look at it this way: Company A offers credit default swaps against securities to protect lenders in case of default. Company B says, "Hey, that sounds great! Small premium for such a policy!" But Company B should considering, "Hey, they only way we'll need this insurance is if there is a catastrophic collapse. But if that happens, Companies C, D, E, ..., Z are all going to be asking to be reimbursed along with us! And why should we think Company A has anywhere near enough capital to insure all of those companies in case of default?" Company B should be asking Company A, "Hey, do you even able to insure this?" And the answer would be a resounding "No" (or a bald-faced lie that would be easy to uncover).
The simple fact is, these companies didn't even think about what would happen if AIG couldn't cover all the swaps. Because nobody could cover all those swaps. Let AIG fail. As far as the banks who are counterparties, let them go into receivership, wipe out the shareholders, and sell off their assets to pay off as many debt holders as possible. That's what the FDIC is for; maybe we should use it for something other than a moral hazard provider.
Self-signing is the only sensible way to use certificates.
CAs should only be used in the same way that USians use notary publics. The certificate should be treated like a notary's seal. (And priced the same.)
But the CAs can't even behave like notaries until they get proper time stamping implemented.
The standard itself was never debugged, and every purveyor of snake oil fudges whatever part of the standard that gets in the way of their patent formula.
Sorry to be negative, but it gets kind of fatiguing, watching the other guy making all the money doing everything wrong. Yeah, that's part of believing in freedom, but it would help if the other believed in it enough to at least try to do it right.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
If you suspect you're visiting a phishing site, try first entering the WRONG password. Since the fishing site shouldn't know your true password, it will just accept the incorrect one and store it away for the purpuse of dastardly use later on. If the site rejects the incorrect password, then accepts the true one, you know you're OK. Right?
I am not left-handed, either!
Electronic banking is heavily regulated. If you feel your concerns are being taken seriously by the bank you need to head on over to the federal reserves website and file a complaint. The Federal Reserve will forward the complaint to the correct regulating facility and banks will respond or be fined.
http://www.federalreserveconsumerhelp.gov/
Whenever I run into a cert mismatch, I check the site IP (fairly straightforward in FF). Then I do a search on the IP against whois databases (ARIN, RIPE). If I see, that the IP is registered to the organization that is supposed to be serving me (and not just an IP reseller), I grant a temp exception and send an email to the staff of the service provider (the whois databases usually have that info) and tell them they've screwed up.
For online banking, I have one-time passwords, issued by the bank (it's a two-phase process). But I've never run into a cert mismatch on a banking service yet.
Every problem has a solution that is simple, easy and wrong. Selling our Liberty for a little Security is a much too de
You are exactly correct, except it was the CEO's son who happened to be browsing /. and gave his dad a call and explained what it meant. On the plus side, the policy team (who made this particuar call) is getting their backsides roasted just now...ah, schadenfraude.